Keeping lawmakers in the loop

Related Links

It is never too early to lay crucial political groundwork for ambitious information technology endeavors that are likely to draw either the attention of powerful lawmakers or the ire of vocal privacy groups — and the sting for the agency that runs afoul of both is mighty painful.

Officials from the Defense Advanced Research Projects Agency (DARPA) — the Defense Department's research and development shop — learned this lesson the hard way when they ventured out with an ambitious anti-terrorism effort.

That project, the Total Information Awareness (TIA) program, was shot down a year ago after privacy groups blasted the project and senators sympathetic to the groups' charges zeroed out its funding.

TIA's troubles hit early. The name quickly became a lightning rod for controversy. "It was a political target to begin with," said Ha Nguyen, a policy analyst with the Heritage Foundation.

"There is a substantive lesson here: that government should stop looking at programs that are designed — or at least appear on the surface to be designed — to lump together pools of suspects," said Chuck Peña, a senior defense policy analyst at the Cato Institute. "It will only raise the antennae of civil liberties groups and those concerned about the invasion of privacy."

What's more, TIA officials proposed a controversial technical concept: the ability to query their envisioned network of databases using models of potential terrorist behavior. Thus, national security users would not be limited to subject-based queries but would be able to conduct searches based on suspicious behavior, activities or patterns. For instance, electronic trails around particular places of travel or purchases could be used to develop pattern-oriented queries. Those then could be entered into the system to churn out lists of suspects engaged in similar activity.

This proposed use of predictive technology caused TIA to venture into uncharted territory and rankle privacy advocates.

"You cannot design an algorithm that will not include some form of political bias," said Gus Hosein, a senior fellow with Privacy International. "And if you do, it is likely to be pretty near to random searching. Also, I think we are forgetting that some of the people we are probably looking for appear to be quite normal and do very normal things. Being able to identify them through some magical process is a dream."

DARPA officials declined to be interviewed, and it is unclear whether TIA will rise from the ashes in another form. However, some third-party experts speculate that DOD officials might try to prove some of TIA's original concepts by proposing trials of a system that makes use of intelligence gathered on non-U.S. citizens.

Lessons learned

TIA's future is unclear, but some of the lessons surrounding the ill-fated program may prove useful for a number of agencies poised to move forward on politically sensitive IT initiatives, especially those involving law enforcement or anti-terrorism goals.

On the highest level, learn from DARPA's mistakes, urged Carol Guthrie, communications director for Sen. Ron Wyden (D-Ore.), who was instrumental in TIA's shutdown. Now, Wyden is co-sponsoring legislation that calls for the Homeland Security Department to build strong privacy considerations and safeguards into initiatives.

"Sen. Wyden wants to see the consideration of privacy and civil liberties at the outset of new anti-terrorism initiatives, instead of as an afterthought," she said. "He wants to see federal agencies work with that in mind, and he believes they're more likely to do so since TIA generated such a strong response from the American people."

Specifically, many sources agreed that agencies will want to tread lightly when proposing to integrate or link law enforcement databases, especially when proposals entail expanding government access to private repositories.

Maintaining a certain level

of caution, however, is particularly tough, because there is a tremendous push to connect pieces of information among agencies at all levels of government.

"If the right person sees the right thing and makes a connection, they might be able to stop terrorist incidents before they happen," said Jeffrey John, ITA Inc.'s deputy director of homeland security. Before joining the anti-terrorism products and services company, John was unit chief of counterterrorism and strategic training at the FBI.

Because cohesion of information across agencies' boundaries is so crucial to fighting terrorism — but remains a huge source of friction with privacy groups — John and others stress the potential benefits of government leaning more heavily on industry for early stage technology development in these areas.

"There is technology out there to do so much more," he said.

Agency officials can hand off politically sensitive R&D tasks. Although research involves only the testing of concepts and not the handling of actual personal data, allowing contractors to do it can help agency officials clearly draw a line between technology development and policy work. TIA proved beyond a shadow of a doubt the importance of keeping those two functions separated, said Phil Anderson, vice president of government relations and strategy at Lucent Technologies.

"We need to look at the technology we are trying to develop and take the politics out of that process," Anderson said. "Industry is in a position to do that without threatening anyone's privacy freedoms."

By offloading some of the more ticklish R&D tasks to industry, agencies could also free up internal staff to craft privacy plans and policies for the use of information and make sure those policy exercises dovetail with technology plans. Those are components that Wyden and other lawmakers will surely look for in the future before blessing funding provisions for developing anti-terrorism systems, many experts agreed.

Regardless of whether agencies decide to outsource early stage R&D to industry or keep those efforts in-house, the TIA debacle proved agency officials' need to repeatedly drive home the point that research is just an exercise designed to prove a technical concept and may never lead to any real applications.

It was a point DARPA officials did not make often enough, Nguyen said. "DARPA is known for the research it does on things that are really out-of-the-box, and it does a lot of research on things that are never developed," she said. "This is what DARPA is there for, and it is one reason why TIA was an effort with so many components lumped together."

Whether embarked on an effort that is mere research or one that is destined for rollout, an agency's officials also must work hard to demystify the technology it wants to harness and explain carefully to lawmakers and other interested parties how the technology will be used, Nguyen said.

"A popular concern with TIA surrounded this concept of a pattern-finding program, which was perceived as a way to run a bunch of government and private data through the system and determine who was most likely to be a terrorist," Nguyen said.

"But in fact, DOD was indicating that when they developed the program, the technology would only generate leads to show individuals who had had contact with certain organizations. This information would then amount to a lead in an investigation," she said, adding that those leads would still have been subject to legal safeguards.

The TIA experience provided an important lesson in communication, according to observers. The lesson: When it comes to system development that touches sensitive political areas, talk to lawmakers early and often.

Purpose: Prototype network of databases to provide cohesive information to law enforcement officials, the development of pattern recognition, and analysis and decision-making tools for counterterrorism analysts.

Status: After TIA came under intense criticism from privacy groups, Congress killed the program in September 2003 by eliminating funding.

Technology fast facts

The Total Information Awareness program was canceled before Defense Advanced Research Projects Agency officials were able to develop specific solutions to power the prototype network designed to span databases in different agencies. Technical capabilities they were pursuing included:

The Census Bureau hasn't established a time frame for its cloud computing plans, including testing for scalability, security, and privacy protection, as well as determining a budget for cloud services.